Sihai network

How were ASUS intranet passwords leaked? Details of the ASUS intranet password disclosure incident

On March 28, the US technology outlet TechCrunch reported that ASUS intranet passwords had been leaked on GitHub. An information security researcher warned ASUS two months ago that ASUS employees had mistakenly published passwords in GitHub repositories. How were the ASUS intranet passwords leaked? Read on for the details of the incident.

According to TechCrunch, an information security researcher warned ASUS two months ago that some ASUS employees had mistakenly published passwords in GitHub repositories. These passwords could be used to access the company's intranet.

One of the passwords appeared in a repository shared by an employee. With this password, the researcher could access the e-mail account that internal developers and engineers used to share nightly builds of applications, drivers and tools with computer users. The repository in question belonged to an ASUS engineer who had left his email account password public for at least a year. The GitHub account still exists, but the repository has since been cleaned up.

"It's an email that publishes an automated build every day," said the researcher, who goes by SchizoDuckie online. The mail in the mailbox contained the specific intranet paths where drivers and files were stored. The researcher also shared multiple screenshots to confirm his findings.

The researcher did not test what information could be obtained through this account, but warned that it would be very easy to enter the enterprise intranet. "All you need is to send an email with an attachment to any recipient for a spear-phishing attack," he said.

The researcher sent a password disclosure warning to ASUS through the company's dedicated information security email address. Six days later, he was unable to log in to the mailbox and assumed the problem had been solved.

However, he later found out that there were at least two cases of ASUS engineers divulging company passwords on GitHub.

A software architect at ASUS headquarters left his user name and password on a GitHub page. Another data engineer also exposed a password in code. "Many companies don't know what their programmers are doing with code on GitHub," the researcher said.

One day after the media told ASUS about this, the repositories containing the passwords were taken offline and cleaned up. But an ASUS spokesman said the company was "unable to confirm" that what the researcher said in the email was correct. "ASUS is actively investigating all systems, eliminating all known risks to our servers and supporting software, and ensuring that there is no data leakage."